Microsoft implements this System and Information Integrity control
Name/Id: ACF1712 / Microsoft Managed Control 1712
Category: System and Information Integrity
Title: Software & Information Integrity
Ownership: Customer, Microsoft
Description: The organization employs integrity verification tools to detect unauthorized changes to software, firmware and information.
Requirements:
Servers: Azure software updates are thoroughly reviewed for any unauthorized changes before entering the production environments as part of the Security Development Lifecycle (SDL) and Change and Release Management processes. Any code changes are reviewed and approved before they are deployed to the Azure production environment. Additionally, builds are digitally signed before they are deployed. If this integrity verification fails at deployment, the deployment operation fails, and the process needs to be started over.
Azure components have a set of runners which leverage information captured by Geneva Monitoring to run automated tests for checking the health of the components. Runners automatically generate alerts if any component health discrepancies are identified. This ensures that recently deployed software is either propagated to more assets or rolled back, as the health indicators dictate.
Azure also utilizes Qualys and Azure Security Monitoring (ASM) for integrity scanning to reduce the risk of software components and devices being tampered with inside the Azure environment. ASM has components that observe, analyze, and report on security events in the Azure environment. It complements the Azure security model by examining constraints that should always remain valid, which includes configuration settings.
The Windows operating systems provide real-time file integrity validation, protection, and recovery of core system files that are installed as part of Windows or authorized Windows system updates. Windows Resource Protection (WRP) automatically detects and restores the original version of protected files if a program uses an unauthorized method to change those files. WRP provides protection for system files using two mechanisms. The first mechanism runs in the background. This protection is triggered after WRP receives a directory change notification for a file in a protected directory. After WRP receives this notification, WRP determines which file was changed. If the file is protected, WRP looks up the file signature in a catalog file to determine if the new file is the correct version. If the file is not the correct version, WRP replaces the new file with the file from the system protected cache folder (if it is in the cache folder) or from the installation source.
In addition to WRP, on demand validation and recovery of core Windows system files are provided using the System File Checker (sfc.exe) tool.
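The two checks described above (a signature lookup for a protected file, and an on-demand sfc.exe pass) can be exercised from an administrative PowerShell session. The script below is an added example for this page, not Microsoft's own tooling; the two file paths are assumptions chosen to illustrate core system files, and the `-RunSfc` switch is an illustrative parameter of this script.

```powershell
# Added example (not part of the control description): report the Authenticode
# status of a set of core system files, then optionally run an on-demand
# sfc.exe verification pass. Default paths are assumptions for illustration.
param(
    [string[]] $Paths = @("$env:SystemRoot\System32\ntdll.dll",
                          "$env:SystemRoot\System32\kernel32.dll"),
    [switch] $RunSfc
)

function Test-SystemFileSignature {
    param([Parameter(Mandatory)][string[]] $Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Status = 'Missing'; Signer = $null }
            continue
        }
        # On current Windows versions Get-AuthenticodeSignature also consults
        # signed catalog files, so catalog-signed system files report 'Valid'.
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        [pscustomobject]@{
            Path   = $p
            Status = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer = $sig.SignerCertificate.Subject
        }
    }
}

$results = Test-SystemFileSignature -Path $Paths
$results | Format-Table -AutoSize

# Anything other than 'Valid' is a candidate for WRP/sfc repair and for review.
$suspect = $results | Where-Object { $_.Status -ne 'Valid' }
foreach ($s in $suspect) {
    Write-Warning ("Integrity check did not pass for {0}: {1}" -f $s.Path, $s.Status)
}

if ($RunSfc) {
    # Requires an elevated prompt. /verifyonly scans without repairing;
    # /scannow would also restore files from the protected cache or source.
    & "$env:SystemRoot\System32\sfc.exe" /verifyonly
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "sfc.exe returned exit code $LASTEXITCODE; review the CBS log for violations"
    }
}
```

Run it as `.\Check-SystemFiles.ps1 -RunSfc` from an elevated prompt to include the sfc pass; without the switch only the signature report is produced, which does not need elevation.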
File Integrity Monitoring (FIM) consists of two elements: system file protection provided by WRP for server baselines, which is built into the operating system; and critical file monitoring provided by a combination of Local Security Policy settings for Windows Audit Object Access together with the appropriate system access control list applied to the files designated as application-critical. WRP is a real-time solution that performs scanning on a continuous basis.
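The "critical file monitoring" half of FIM described above combines a known-good reference for each application-critical file with an audit SACL and the Audit Object Access policy, so that unauthorized writes are both detectable after the fact and logged as they happen. The following is an added example, not Microsoft's FIM implementation: it keeps a SHA-256 baseline as JSON, compares live files against it, and applies the audit rule. The function names, the baseline file format and the constructed sample files under `$env:TEMP` are all assumptions made for this illustration.

```powershell
# Added example (not part of the control description): hash-baseline FIM for
# application-critical files plus the audit SACL that makes writes to them
# produce Security log events once 'Audit File System' is enabled.

function New-FileBaseline {
    param([Parameter(Mandatory)][string[]] $Path,
          [Parameter(Mandatory)][string]   $BaselinePath)
    $baseline = foreach ($p in $Path) {
        $h = Get-FileHash -LiteralPath $p -Algorithm SHA256
        [pscustomobject]@{ Path = $p; Hash = $h.Hash; Length = (Get-Item -LiteralPath $p).Length }
    }
    # -InputObject with @() keeps a single-file baseline serialised as a JSON array.
    ConvertTo-Json -InputObject @($baseline) -Depth 3 |
        Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    $baseline
}

function Compare-FileBaseline {
    param([Parameter(Mandatory)][string] $BaselinePath)
    $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    foreach ($entry in $baseline) {
        if (-not (Test-Path -LiteralPath $entry.Path)) {
            [pscustomobject]@{ Path = $entry.Path; Result = 'Missing' }
            continue
        }
        $current = (Get-FileHash -LiteralPath $entry.Path -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path   = $entry.Path
            Result = if ($current -eq $entry.Hash) { 'Unchanged' } else { 'Modified' }
        }
    }
}

function Add-CriticalFileAuditRule {
    # Requires an elevated prompt: Set-Acl with a SACL and auditpol need SeSecurityPrivilege.
    param([Parameter(Mandatory)][string[]] $Path)
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    foreach ($p in $Path) {
        $acl  = Get-Acl -LiteralPath $p -Audit
        $rule = [System.Security.AccessControl.FileSystemAuditRule]::new('Everyone', $rights, $flags)
        $acl.AddAuditRule($rule)
        Set-Acl -LiteralPath $p -AclObject $acl
    }
    # The SACL only yields events (4663 and related) once the subcategory is enabled.
    auditpol /set /subcategory:"File System" /success:enable /failure:enable
}

# Demonstration on constructed sample files (no elevation needed for this part).
$dir = Join-Path $env:TEMP 'fim-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$files = 'app.config', 'app.dll' | ForEach-Object { Join-Path $dir $_ }
Set-Content -LiteralPath $files[0] -Value 'setting=original'
Set-Content -LiteralPath $files[1] -Value 'placeholder for a binary'
$baselinePath = Join-Path $dir 'baseline.json'

New-FileBaseline -Path $files -BaselinePath $baselinePath | Out-Null
Set-Content -LiteralPath $files[0] -Value 'setting=changed'   # simulate an unauthorized edit
Compare-FileBaseline -BaselinePath $baselinePath | Format-Table -AutoSize
```

In production the baseline file itself must live somewhere the monitored host cannot rewrite (a separate share or a log pipeline), otherwise an attacker who can change the application file can also re-baseline it; the audit SACL closes that gap by recording the write independently of the hash comparison.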
Azure detects changes made to the environment through the Service Fabric and configuration platform, and custom service Monitoring Agents. Changes are detected in real time and the service provisioning and configuration platform performs predefined steps to compare integrity of operating software against released production software versions and reimage the Guest OS with appropriate software files or shut down/restart the Guest OS. If the issue is not resolved by these means, then the system is reimaged, or an alert is generated to the service team.
Azure uses Config Policy Verifier (CPV) and Config Change Reporter (CCR) to notify the Azure Networking team on unauthorized changes to network devices on a continuous basis. CPV and CCR automatically send alerts to the network device monitoring tool alarm console regarding deviations from correct operation of security functions. CPV and CCR send alerts upon system startup and/or restart and continuously provide event monitoring and alerting to the Microsoft Operations Center (MOC). The network device monitoring tool consoles reside with the MOC, which provides analysis and routing to the Azure Networking team for remediation. CPV and CCR back up the configuration of network devices, so that the Azure Networking team can see who made what changes to the system. This captures all changes to the device configuration, including who made each change and when. CPV and CCR are real-time solutions that perform scanning on a continuous basis.
In addition to the Azure standard tooling and processes, service teams may use SCOM to monitor Windows operating systems. SCOM provides file integrity validation and protection, as well as the recovery of core system files if any unauthorized changes are detected.
Rule resource types
IF (2):
  Microsoft.Resources/subscriptions
  Microsoft.Resources/subscriptions/resourceGroups